Enterprise Risk Management

Frequently Asked Questions about ERM

What is ERM?

Enterprise risk management ("ERM") is a process designed to
anticipate and analyze potential opportunities and threats that
could affect the achievement of the University's objectives. This
process is integral to the management and future direction of the
University, and should be structured, consistent, and
continuous across the entire organization. ERM includes
identifying, assessing, deciding on responses to, and reporting
on strategic, human capital, compliance, operational,
financial, and hazard-related exposures. These exposures include
both "risks" that might hinder UVM's attainment of its strategic
goals, and "opportunities" that could help the University
achieve its strategic goals.

How do I report a risk?

If it is an emergency, dial 911. If it is not an
emergency, report the issue either to your supervisor or the relevant office at UVM.

Why is UVM implementing ERM?

UVM began implementing an ERM program in 2008 following the
recommendations of an external audit report by Deloitte &
Touche. The report determined that UVM had inadequate
internal controls to manage and mitigate its institutional
risk. A follow-up audit by PricewaterhouseCoopers concurred
with Deloitte & Touche's recommendation, noting that ERM
was a “best practice.” (Read more about
the history of ERM's program.) Both UVM's
senior administration and its Board of Trustees' Audit
Committee saw the value of taking an institution-wide view of
risk to help UVM achieve strategic goals, lessen uncertainty, and
maintain a competitive advantage.

Ways that ERM can benefit an organization

Support the achievement of strategic objectives

Enhance institutional decision-making

Create a “risk-aware” culture across the organization

Reduce operational surprises and losses

Be ready to act on acceptable opportunities

Assure greater business continuity

Improve deployment of capital by aligning risk and
resources with strategic objectives

Bridge departmental silos while drawing on the expertise of
highly skilled individual managers

What do you mean by opportunity or “upside risk”?

While we tend to think of "risks" as negative events, the ERM
process is also designed to help an organization think about the
"happy surprises" or opportunities that could also present
themselves and which would help, as opposed to hinder, the
achievement of strategic goals. One example of such an opportunity
at UVM was the closure of Trinity College and the opportunity for
UVM to acquire the Trinity campus. The ERM process encourages
thinking about such possibilities and "what if" scenarios in
advance, so that if the opportunity does in fact present itself,
the organization has already thought through the issue and is
poised to move quickly.

It is also true that many activities, initiatives, and
uncertainties can have both positive ("upside") and negative
("downside") impacts. This is similar to weighing the "pros
and cons" of an issue. The risk assessment process seeks to
consider both sides of how a risk could affect the institution's
ability to achieve its strategic goals.

How does enterprise risk management differ from traditional risk
management?

Historically, the traditional risk management function
has tended to focus on safety, hazard-related, and legal
liability issues such as fire prevention, insurance, and
workplace safety. ERM both expands and elevates the risk
management focus to consider the potential impact of all types of risks
(strategic, human capital, compliance, financial, and operational
issues, in addition to safety, hazard-related, and legal
liability exposures) across the entire organization and
examines risks in the context of strategic
objectives. ERM is also unique in looking at the upside
potential of uncertainties as well as the downside (i.e.,
potential losses or damages). Finally, ERM is not a
stand-alone process. It is meant to enhance and be integrated with
management processes such as strategic planning and
budgeting.

What is the relationship between ERM and the other offices at
UVM that deal with risk, such as Compliance Services or Risk
Management & Safety?

Again, because ERM does not replace UVM's normal management
processes, UVM offices and departments with expertise in a
specific area will continue to play their important roles in
helping the institution to manage different types of risk. ERM
plays a coordinating role in collecting risk information from
across the University and ensuring that it is analyzed and
presented to senior decision-makers in a consistent way. To
support this coordination and collaboration, the Vice President
for Finance & Administration, General Counsel, Chief
Compliance & Privacy Officer, Director of Risk Management
& Safety, Senior Strategist for Enterprise Risk &
Planning, and Chief Internal Auditor meet quarterly as the Risk Assurance Group.